
Some applications of higher dimensional isogenies to elliptic curves

Preliminary version

DAMIEN ROBERT

Abstract. We give two applications of the “embedding Lemma”. The first one is a deterministic polynomial time (in log 𝑞) algorithm to compute the endomorphism ring End(𝐸) of an ordinary elliptic curve 𝐸/𝔽𝑞, provided we are given the factorisation of Δ𝜋. In particular, this computation can be done in quantum polynomial time.
The second application is an algorithm to compute the canonical lift of 𝐸/𝔽𝑞, 𝑞 = 𝑝^𝑛 (still assuming that 𝐸 is ordinary) to precision 𝑚 in time $\tilde O(nm \log^{O(1)} p)$. We deduce a point counting algorithm of complexity $\tilde O(n^2 \log^{O(1)} p)$. In particular the complexity is polynomial in log 𝑝, by contrast with what is usually expected of a 𝑝-adic cohomology computation. This algorithm generalizes to ordinary abelian varieties.

1. Introduction
If 𝛼1, 𝛼2 are two endomorphisms of an elliptic curve 𝐸 of degrees 𝑎1 and 𝑎2, then 𝛼1 ∘ 𝛼2 is of degree 𝑎1𝑎2. However it is harder to control the degree of the sum; by Cauchy-Schwarz we can bound it as $(a_1^{1/2} - a_2^{1/2})^2 \le \deg(\alpha_1 + \alpha_2) \le (a_1^{1/2} + a_2^{1/2})^2$ (unless 𝛼1 = −𝛼2). And 𝛼1 + 𝛼2 is of degree 𝑎1 + 𝑎2 if and only if $\alpha_1 \tilde\alpha_2$ is of trace 0.
If 𝛼1 commutes with 𝛼2, we can instead use Kani’s lemma [Kan97, § 2] to build an endomorphism 𝐹 in dimension 2 on 𝐸^2 which is an (𝑎1 + 𝑎2)-isogeny (so is of degree (𝑎1 + 𝑎2)^2 since we are in dimension 2). So by going to higher dimension we can combine degrees additively. The proof of this lemma is very simple (a two by two matrix computation), but its powerful algorithmic potential went unnoticed until Castryck and Decru applied it in [CD22] to attack SIDH.
We can combine Kani’s lemma (extended to higher dimension) with Zarhin’s trick: for any 𝑚 ∈ ℕ, it is possible to build an 𝑚-isogeny on 𝐸^𝑢 where 𝑢 = 1, 2 or 4 depending on whether 𝑚 is a sum of 1, 2 or 4 squares, see [Rob22a]. The same ideas hold for an abelian variety, which yields the following embedding lemma: for any 𝑚 > 0, an 𝑁-isogeny 𝑓 ∶ 𝐴 → 𝐵 in dimension 𝑔 of principally polarised abelian varieties can always be efficiently embedded into an (𝑁 + 𝑚)-isogeny 𝐹 in dimension 8𝑔 (and sometimes 4𝑔 or 2𝑔). Indeed, if 𝑢 is as above, we can build 𝑚-isogenies 𝛼𝐴, 𝛼𝐵 on 𝐴^𝑢, 𝐵^𝑢 such that 𝛼𝐵 𝑓 = 𝑓 𝛼𝐴, and take 𝐹 to be the endomorphism of 𝐴^𝑢 × 𝐵^𝑢 given by $F = \begin{pmatrix} \alpha_A & -\tilde f \\ f & \tilde\alpha_B \end{pmatrix}$. We remark that 𝐹 embeds both 𝑓 and its dual $\tilde f$. This has been applied to break SIDH in [CD22; MM22; Rob22a].
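As an added worked check (not part of the paper), here is the two-by-two computation behind the embedding lemma in the notation above: a tilde denotes the dual isogeny, so $\tilde f f = [N]$ and $\tilde\alpha_A \alpha_A = [m]$, and dualising $\alpha_B f = f \alpha_A$ gives $\tilde f \tilde\alpha_B = \tilde\alpha_A \tilde f$.

```latex
% The dual of a matrix of isogenies (for the product polarisations) is the
% transpose of the matrix of duals, so
F = \begin{pmatrix} \alpha_A & -\tilde f \\ f & \tilde\alpha_B \end{pmatrix},
\qquad
\tilde F = \begin{pmatrix} \tilde\alpha_A & \tilde f \\ -f & \alpha_B \end{pmatrix},
% and multiplying out, using \tilde f f = [N], f \tilde f = [N],
% \tilde\alpha_A \alpha_A = \alpha_B \tilde\alpha_B = [m],
% \alpha_B f = f \alpha_A and \tilde f \tilde\alpha_B = \tilde\alpha_A \tilde f:
\tilde F F
= \begin{pmatrix}
    \tilde\alpha_A \alpha_A + \tilde f f & -\tilde\alpha_A \tilde f + \tilde f \tilde\alpha_B \\
    -f \alpha_A + \alpha_B f & f \tilde f + \alpha_B \tilde\alpha_B
  \end{pmatrix}
= \begin{pmatrix} [m] + [N] & 0 \\ 0 & [N] + [m] \end{pmatrix}
= [N + m].
```

Hence $F$ is an $(N+m)$-isogeny of $A^u \times B^u$, and reading off its entries shows why it carries both $f$ and $\tilde f$.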
More generally, let us define the 𝑁-evaluation problem as follows: given an 𝑁-isogeny 𝑓 ∶ 𝐴/𝑘 → 𝐵/𝑘 and a point 𝑄 ∈ 𝐴(𝑘), evaluate 𝑓(𝑄). Here we remain deliberately vague about how 𝑓 is specified; usually it will be by its kernel 𝐾, which is a maximal isotropic subgroup in 𝐴[𝑁]. The converse problem may be defined as follows: given an 𝑁-isogeny 𝑓 as above, 𝑃 ∈ 𝐴[𝑁′] and the tuple (𝑃, 𝑓(𝑃)) along with a point 𝑄 ∈ 𝐴(𝑘), the (𝑁, 𝑁′)-interpolation problem asks to evaluate 𝑓(𝑄). Of course, 𝑁′ needs to be large enough compared

Date: December 13, 2022.



to 𝑁 so that 𝑓 is uniquely determined by the data 𝑃, 𝑓(𝑃). We will be interested in the following weaker variant: the (𝑁, 𝑁′)-weak interpolation problem asks to evaluate 𝑓(𝑄) provided we are given the value of 𝑓 on a basis of 𝐴[𝑁′].
Note that if 𝑁 = 𝑁′, given the value of 𝑓 on a basis of 𝐴[𝑁] we can (up to DLP computations) recover the kernel of 𝑓, hence the weak interpolation problem reduces to the evaluation problem in this case.
We may apply the embedding lemma to reduce the weak interpolation problem to the evaluation problem in all cases. Namely the embedding lemma gives us an 𝑁′-isogeny 𝐹 that embeds 𝑓, so evaluating 𝑓(𝑄) can be done by evaluating 𝐹(𝑄). Furthermore, if 𝑁′ is prime to 𝑁, Ker 𝐹 can be completely determined by the value of 𝑓(𝐴[𝑁]): Ker 𝐹 = {(𝛼𝐴 𝑥, −𝑓 𝑥), 𝑥 ∈ 𝐴^𝑢[𝑁]}. A fun fact is that in this case we do not even need to compute DLPs to recover Ker 𝐹. So the weak (𝑁, 𝑁′)-interpolation problem can always be reduced to an 𝑁′-evaluation problem in higher dimension, provided that 𝑁′ > 𝑁 is prime to 𝑁. In fact, by considering the contragredient isogeny of 𝐹, we only need 𝑁′^2 > 𝑁, see [Rob22a, § 6.4].
This is interesting because if 𝑘 = 𝔽𝑞 is a finite field and 𝑁′ is powersmooth (or if 𝑁′ is smooth and 𝐴[𝑁′] lives in a small extension), the 𝑁′-evaluation problem can be solved in polynomial time in log 𝑞 and the smoothness bound 𝐵 of 𝑁′ (here we assume the dimension 𝑔 fixed). This has the following application to the 𝑁-evaluation problem: if we can evaluate 𝑓 on the 𝑁′-torsion, the evaluation problem reduces trivially to the (𝑁, 𝑁′)-weak interpolation problem, and we have just seen that this reduces to the 𝑁′-evaluation problem in higher dimension. So assuming that we have an oracle giving us this evaluation of 𝑓 on 𝐴[𝑁′], we can reduce the 𝑁-evaluation problem to the 𝑁′-evaluation problem (in higher dimension), which can be computed in polynomial time if 𝑁′ is powersmooth. In other words, we embed the 𝑁-isogeny 𝑓 into a powersmooth 𝑁′-isogeny 𝐹. This application is described in more detail in [Rob22b].
Now the main obstacle of this idea is the need to evaluate 𝑓 on the 𝑁′-torsion first. The idea of this paper is that if 𝐴/𝔽𝑞 is an ordinary abelian variety, then ℤ[𝜋] is an order in End(𝐴) (recall that for an ordinary abelian variety the endomorphism ring is invariant by a field extension, so $\operatorname{End}(A) = \operatorname{End}_{\mathbb{F}_q}(A) = \operatorname{End}_{\overline{\mathbb{F}}_q}(A)$). So any element 𝛼 ∈ End(𝐴) can be written as 𝑃𝛼(𝜋)/𝐷 where 𝑃𝛼 is a polynomial of degree 𝑑 < 2𝑔 with integer coefficients, and 𝐷 an integer dividing the index 𝑓𝜋 = [𝒪𝐾 ∶ ℤ[𝜋]] where 𝒪𝐾 is the maximal order in End^0(𝐴) = End(𝐴) ⊗ℤ ℚ.
Note that since 𝐴 is principally polarised, it contains $\mathbb{Z}[\pi, \bar\pi]$ where $\bar\pi = q/\pi$ (the Verschiebung) is the image of 𝜋 by the Rosati involution. This allows us to write 𝛼 as a polynomial in $\pi, \bar\pi$ where this time the denominator 𝐷 divides $[\mathcal{O}_K : \mathbb{Z}[\pi, \bar\pi]]$, so can be smaller. We won’t need this in the following.
Evaluating 𝛼 on a point 𝑃 ∈ 𝐴 can be done as follows: find any point 𝑃′ such that 𝑃 = 𝐷𝑃′. Then 𝛼(𝑃) = 𝑃𝛼(𝜋)(𝑃′). We remark that 𝜋 is easy to evaluate: it requires 𝑂(log 𝑞) arithmetic operations, and of course integer multiplications [𝑚] can be evaluated in 𝑂(log 𝑚) operations on the abelian variety. But if 𝐷 has a large prime factor, finding 𝑃′ will be very expensive in general. Still, in the particular case when 𝑃 ∈ 𝐴[𝑁′], with 𝑁′ prime to 𝐷, finding 𝑃′ amounts to inverting 𝐷 modulo 𝑁′ and a scalar multiplication. So we can evaluate 𝛼 on 𝐴[𝑁′], provided that 𝑁′ is prime to 𝐷, in time polynomial in log 𝑞 and the height of the coefficients of 𝑃𝛼/𝐷. This allows us to efficiently embed 𝛼 into a higher dimensional endomorphism 𝐹𝛼.
Thus, if 𝛼 is an 𝑁-isogeny, taking 𝑁′ > 𝑁 powersmooth and prime to 𝑁 and to the index 𝑓𝜋, we can evaluate the endomorphism 𝛼 represented abstractly as above on any point 𝑄 ∈ 𝐴(𝔽𝑞) in time polynomial in log 𝑞 and the height of 𝛼. Indeed, we can use Mahler’s bound to bound linearly the height of 𝑃𝛼 from the height of 𝛼 and of the characteristic polynomial 𝜒𝜋 of 𝜋 (we assume the dimension 𝑔 fixed here). And by Weil’s theorem, the height of 𝜒𝜋 is linear in log 𝑞.
We will see how to apply these techniques to the computation of endomorphism rings and canonical lifts. This paper is just a preliminary version giving a brief, leisurely description of the main algorithms; it will be followed by two technical papers giving more details and a finer complexity analysis.

1.1. Thanks. I thank Andrew Sutherland who asked me if higher dimensional isogenies could help compute the endomorphism ring of an elliptic curve. This led to Section 3. I thank Jean-Marc Couveignes and Pierrick Gaudry for various discussions about other applications of canonical lifts than point counting, and Aurel Page for brainstorming sessions about trying to apply the same techniques as Section 4 to compute the crystalline cohomology of a general ordinary scheme.

2. Embedding an isogeny
For our complexity analysis, we need to briefly review the results of [Rob22b].
Given an 𝑁-isogeny 𝑓 ∶ 𝐸 → 𝐸′ over 𝔽𝑞, we try to find 𝑁′ powersmooth (with powersmoothness bound 𝐵), such that 𝑚 = 𝑁′ − 𝑁 is a sum of 1, 2 or 4 squares. This allows us to embed 𝑓 into an 𝑁′-isogeny in dimension 2𝑢.
To recover the kernel of 𝐹 and decompose it as a product of (≤ 𝐵)-isogenies, we need to work with algebras of degree up to 𝑂(𝐵^4). We need to push up to log 𝑁′ points at each step, and each (≤ 𝐵)-isogeny evaluation costs 𝑂(𝐵^{2𝑔}). Since there are up to log 𝑁′ steps, the complexity of decomposing 𝐹 is 𝑂(𝐵^4 𝐵^{2𝑢} log^2 𝑁′) arithmetic operations. For subsequent isogeny evaluations, to evaluate 𝑓(𝑄) if 𝑄 ∈ 𝐸(𝔽𝑞), we work with algebras of degree up to 𝑂(𝐵^2), and follow log 𝑁′ (≤ 𝐵)-isogenies, for a total cost of 𝑂(𝐵^2 𝐵^{2𝑢} log 𝑁′) arithmetic operations. In practice, we will take a bound 𝐵 = 𝑂(log 𝑁) and try to find 𝑁′ such that log 𝑁′ = 𝑂(log 𝑁), so the decomposition cost is 𝑂(log^{6+2𝑢} 𝐵) arithmetic operations and further evaluations are in 𝑂(log^{3+2𝑢} 𝐵) arithmetic operations.
So the smaller 𝑢, the better the complexity, but the harder it is to find a suitable 𝑁′. The easiest case is 𝑢 = 4: we just need to find a powersmooth 𝑁′ > 𝑁 prime to 𝑁. We simply take the product of the first 𝑂(log 𝑁) primes prime to 𝑁, and then decompose 𝑁′ − 𝑁 as a sum of squares. This costs 𝑂(log^2 𝑁). The hardest case is 𝑢 = 1: we need to find 𝑁′ such that 𝑁′ − 𝑁 is a square. In general this will not be possible. This could still have some applications, e.g. as in Section 4 where 𝑁 = 𝑝, if we take the base field to be of a special form. The middle case is 𝑢 = 2. It is difficult to test if an integer 𝑁′ − 𝑁 is a sum of two squares (this requires factorizing it), so a solution is to test if 𝑁′ − 𝑁 is prime and a sum of two squares. A probabilistic algorithm (missing a few primes) costs 𝑂(log^2(𝑁′ − 𝑁)). Heuristically there is a probability of Ω(1/log 𝑁) that 𝑁′ − 𝑁 is both prime and a sum of two squares, so we need to test 𝑂(log 𝑁) values of 𝑁′. So we can find a suitable 𝑁′ in heuristic time 𝑂(log^3 𝑁). Of course once 𝑁′ and the decomposition of 𝑁′ − 𝑁 as a sum of two squares are found, it is easy to check that 𝑁′ works.
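The search for 𝑁′ in the 𝑢 = 2 case (with the 𝑢 = 1 case picked up for free when 𝑁′ − 𝑁 happens to be a square), written out as an added example that is not the paper's code: candidates 𝑁′ are generated as divisors of the product of the maximal prime powers ≤ 𝐵 coprime to 𝑁, so they are 𝐵-powersmooth and prime to 𝑁 by construction, and 𝑁′ − 𝑁 is accepted when it is a prime ≡ 1 mod 4, which is then split into two squares by the Hermite-Serret Euclidean algorithm. The input 𝑁 = 1000003 and bound 𝐵 = 30 are constructed values; the function names are mine.

```python
"""Added example (not from the paper): the u = 2 search of Section 2.

Find a B-powersmooth N' > N, coprime to N, with m = N' - N a sum of two squares.
As in the text we only accept m that is prime (and = 1 mod 4), since primality is
cheap while a general two-square test needs a factorisation; such an m is split
with Hermite-Serret.  A perfect square m (the u = 1 case) is also accepted.
"""
from itertools import product
from math import isqrt, lcm, prod


def primes_up_to(bound):
    """Plain sieve of Eratosthenes."""
    sieve = bytearray([1]) * (bound + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, isqrt(bound) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytes(len(range(i * i, bound + 1, i)))
    return [i for i, flag in enumerate(sieve) if flag]


def is_probable_prime(n):
    """Miller-Rabin; this base set is deterministic for n < 3.3e24."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for p in bases:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def two_squares_of_prime(p):
    """Hermite-Serret: for a prime p = 1 (mod 4) return (a, b) with a^2 + b^2 = p."""
    assert p % 4 == 1 and is_probable_prime(p)
    # c^((p-1)/4) is a square root of -1 mod p exactly when c is a non-residue.
    root = next(x for x in (pow(c, (p - 1) // 4, p) for c in range(2, p))
                if x * x % p == p - 1)
    a, b = p, root
    while b * b > p:  # Euclid on (p, root) until the remainder drops below sqrt(p)
        a, b = b, a % b
    a = isqrt(p - b * b)
    assert a * a + b * b == p
    return a, b


def powersmooth_candidates(N, B):
    """Yield every divisor of M = prod l^e (l <= B prime to N, l^e <= B)."""
    prime_powers = []
    for l in primes_up_to(B):
        if N % l == 0:
            continue  # keep N' coprime to N
        powers = [1]
        while powers[-1] * l <= B:  # l^e <= B is the powersmoothness condition
            powers.append(powers[-1] * l)
        prime_powers.append(powers)
    for choice in product(*prime_powers):
        yield prod(choice)


def is_powersmooth(n, B):
    """True iff every prime power exactly dividing n is <= B, i.e. n | lcm(1..B)."""
    return lcm(*range(1, B + 1)) % n == 0


def find_embedding_degree(N, B):
    """Smallest suitable N'; returns (N', u, squares) with sum(s^2) = N' - N."""
    best = None
    for Np in powersmooth_candidates(N, B):
        if Np <= N or (best is not None and Np >= best[0]):
            continue
        m = Np - N
        r = isqrt(m)
        if r * r == m:  # u = 1: m is itself a square
            best = (Np, 1, (r,))
        elif m % 4 == 1 and is_probable_prime(m):  # u = 2: prime m = 1 mod 4
            best = (Np, 2, two_squares_of_prime(m))
    return best
```

For 𝑁 around 2^20 and 𝐵 = 30 the candidate set has a few thousand elements, so a hit is found immediately; the cost in the text's analysis is dominated by the primality tests, as expected.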

3. Computing the endomorphism ring of an ordinary elliptic curve


If 𝐸/𝔽𝑞 is an ordinary elliptic curve, we can recover the characteristic polynomial 𝜒𝜋 = 𝑋^2 − 𝑡𝑋 + 𝑞 of 𝜋 in polynomial time in log 𝑞 by a point counting algorithm. We can thus recover Δ𝜋 = 𝑡^2 − 4𝑞. If we know the factorisation of this discriminant, we can compute its associated fundamental discriminant, hence the maximal order 𝒪𝐾 = ℤ[𝜔] of 𝐾 = ℚ(√Δ𝜋) = End^0(𝐸), and the factorisation of the conductor 𝑓𝜋 = [𝒪𝐾 ∶ ℤ[𝜋]]. We can write 𝜋 = 𝑎 + 𝑓𝜋𝜔 (where 𝑎 depends on the trace of 𝜋, so has height 𝑂(log 𝑞)). We know that 𝜋 − 𝑎 ∈ End(𝐸). Determining End(𝐸) is equivalent to determining the index of End(𝐸) in 𝒪𝐾 or the index of ℤ[𝜋] in End(𝐸), and so is equivalent to determining the largest divisor 𝑓𝐸 of 𝑓𝜋 such that $(\pi - a)/f_E \in \operatorname{End}(E)$.
Since we know the factorisation of 𝑓𝜋, we are reduced to the following problem: let 𝑔 be a factor of 𝑓𝜋. Is $(\pi - a)/g$ in End(𝐸)? This can be done by checking that 𝜋 − 𝑎 is trivial on 𝐸[𝑔], but computing the 𝑔-torsion will be expensive if 𝑔 has a large prime power as a factor.
Remark 3.1. This approach to endomorphism ring computations is used in [EL07; FL08] in dimension 2. The standard approach to compute the endomorphism ring of an ordinary elliptic curve is to follow paths in the isogeny volcano and is due to Kohel [Koh96] (see also [FM02]). These algorithms are exponential in the worst case. A heuristic subexponential algorithm is presented in [BS09], and further improved in [Bis11] to only rely on the GRH. This latter algorithm has subexponential complexity (when provided with a factorisation of the discriminant) of $L(1/2, 1/\sqrt{2} + o(1))(\Delta_\pi)$.
Instead we use the embedding lemma. We know how $\alpha = (\pi - a)/g$ is supposed to act on 𝐸[𝑁′] (taking 𝑁′ > 𝑁(𝛼) prime to 𝑔 and 𝑁(𝛼)), if it exists as an endomorphism. If 𝛼 exists, we get an endomorphism 𝐹 of 𝐸^{2𝑢} (where 𝑢 = 1, 2, 4) that embeds 𝛼 as one of its matrix coefficients. If 𝑁 = deg(𝜋 − 𝑎), then deg(𝛼) = 𝑁(𝛼) = 𝑁/𝑔^2. If 𝑚 = 𝑁′ − 𝑁(𝛼) and 𝛾 is an 𝑚-endomorphism on 𝐸^𝑢, then we can build Ker 𝐹 as Ker 𝐹 = {(𝛾𝑃, −𝛼𝑃) ∣ 𝑃 ∈ 𝐸^𝑢[𝑁′]}. Since 𝑔 is prime to 𝑁′, the action of 𝛼 on 𝐸[𝑁′] is well defined even if it is not a real endomorphism, and it is easy to check that Ker 𝐹 is always isotropic in 𝐸^{2𝑢}[𝑁′].
So we first compute 𝐸^{2𝑢}/Ker 𝐹 and check that 𝐹 is indeed an endomorphism. This can be done in polynomial time if 𝑁′ is powersmooth. If not, we know that 𝛼 cannot be an endomorphism.
It is instructive to look at what happens if 𝐹 is an endomorphism of 𝐸^{2𝑢}. Let us assume 𝑢 = 1 here for simplicity. Then by the converse of Kani’s lemma, we know that 𝐹 must be of the form $F = \begin{pmatrix} f_1 & -\tilde g_1 \\ f_2 & \tilde g_2 \end{pmatrix}$ for endomorphisms 𝑓1, 𝑓2, 𝑔1, 𝑔2 such that 𝑔2𝑔1 = 𝑓2𝑓1 and deg 𝑔1 = deg 𝑓2, and deg 𝑓1 + deg 𝑓2 = 𝑁′, and of course its kernel has to be the one specified above. So there is no guarantee, even if 𝐹 is an endomorphism, that it embeds 𝛼 and not other endomorphisms.
But, since we can evaluate 𝐹 efficiently, we can check if one of the matrix coefficients 𝛽 of 𝐹 acts like 𝛼 on 𝐸[𝑁″], where 𝑁″ is powersmooth (we just need to check it on a basis of the 𝑁″-torsion).¹ Since 𝐹 is an 𝑁′-isogeny (because we have specified its kernel to be maximal isotropic in the 𝑁′-torsion), the individual components are (≤ 𝑁′)-isogenies.
Now by Cauchy-Schwarz, if 𝛼 and 𝛽 are two endomorphisms of degree ≤ 𝑀, then 𝛼 + 𝛽 is of degree ≤ 4𝑀. So if the endomorphisms 𝛼, 𝛽 agree on 𝐸[𝑁″], they are equal as long as 𝑁″^2 > 4𝑀.
So we check if we can find a matrix coefficient 𝛽 that acts like 𝛼 on 𝐸[𝑁″]. Then 𝑔𝛽 acts like 𝜋 − 𝑎 on 𝐸[𝑁″], so by the above result we have that 𝑔𝛽 = 𝜋 − 𝑎 as long as 𝑁″^2 > 4 max(𝑔^2𝑁′, deg(𝜋 − 𝑎)) = 4𝑔^2𝑁′ (since we take 𝑁′ > deg((𝜋 − 𝑎)/𝑔)). In this case, (𝜋 − 𝑎)/𝑔 is indeed an endomorphism, and the converse is immediate.
¹ To be more precise, we need to test 𝛾𝛽 for all automorphisms 𝛾 of 𝐸. But 𝐸 has no automorphisms apart from [−1], unless 𝑗(𝐸) = 0 or 1728. And we know the endomorphism ring of these curves.
Of course we will follow this approach step by step, so we already know that say (𝜋 − 𝑎)ℓ/𝑔 (with ℓ ∣ 𝑔) is an endomorphism and we just need to check that ℓ𝛽 acts like (𝜋 − 𝑎)ℓ/𝑔, which allows us to take a smaller 𝑁″.
We do at most log|Δ𝜋| steps, and the index 𝑓𝜋, hence its divisors, are at most |Δ𝜋|. The full computation is thus polynomial in log 𝑞 and log|Δ𝜋|. Since log|Δ𝜋| = log|𝑡^2 − 4𝑞| = 𝑂(log 𝑞), we get using Section 2:
Theorem 3.2. Given an ordinary elliptic curve 𝐸/𝔽𝑞 and the factorisation of the discriminant of the Frobenius 𝜋, End(𝐸) can be determined in polynomial time, namely 𝑂(log^{7+2𝑢} 𝑞) arithmetic operations.
Here we can take 𝑢 = 4 to get a proven complexity, or 𝑢 = 2 to get a heuristic one.
Remark 3.3. The dominating step of the endomorphism ring computation is thus the factorisation of the discriminant. The (unconditional randomised) proven complexity of the factorisation is $L(1/2, 1 + o(1))(\Delta_\pi)$ by [LP92], and the heuristic complexity of the NFS algorithm is $L(1/3, (64/9)^{1/3} + o(1))(\Delta_\pi)$ by [BLP93]. Since factorisation can be done in polynomial time on a quantum computer by Shor’s algorithm [Sho94], the endomorphism ring computation is in quantum polynomial time. Surprisingly it seems that no such quantum polynomial time algorithm was known before this article.
Remark 3.4. The same framework should allow us to compute the endomorphism ring of an ordinary abelian variety, provided that we can work with real multiplication isogenies (and embed them powersmoothly). We leave that for future work. It would also be very interesting to be able to move in the ℓ-isogeny volcano in time polynomial in log ℓ.

4. Point counting and canonical lifts


Let 𝐸/𝔽𝑞, 𝑞 = 𝑝^𝑛, be an ordinary elliptic curve. The Frobenius 𝜋𝑞 has two eigenvalues, one 𝜆 which is invertible modulo 𝑝, and the other is 𝑞/𝜆. Since 𝜋𝑞 is easy to evaluate, we can evaluate its action on the tangent space 𝑇0𝐸, but this gives us 0 since it is inseparable. The action of the Verschiebung $\bar\pi_q$ on 𝑇0𝐸 allows us to recover 𝜆 mod 𝑝, hence the trace of 𝜋 modulo 𝑝. Since $[q] = \pi_q \circ \bar\pi_q$,² it is easy to evaluate the Verschiebung on a point 𝑃 which is in the image of 𝜋𝑞. Unfortunately this does not help us to evaluate it on the tangent space, since the image of the Frobenius there is trivial. An alternative is to compute the kernel of the Verschiebung and apply Vélu’s formula, but since the degree of the Verschiebung is 𝑞, this is too expensive. (At this point we would actually compute the small Verschiebung instead, which is of degree 𝑝.)
Instead, since the Verschiebung is easy to compute on the 𝑁′-torsion (𝑁′ > 𝑞 powersmooth), we can embed it into a higher dimensional endomorphism 𝐹 of 𝐸^{2𝑢}; this also embeds its dual 𝜋𝑞. We can then evaluate 𝐹 on the tangent space at 0; this recovers the action of 𝜋𝑞 and $\bar\pi_q$ on 𝑇0𝐸. We thus get a polynomial time algorithm to recover 𝜆 mod 𝑝. Like above, it is more efficient to only embed 𝜋𝑝 and $\bar\pi_p$ and recover 𝜆 via a norm, see [Rob21, § 6].
Using Section 2, this algorithm to recover 𝜆 mod 𝑝 costs 𝑂(log^{6+2𝑢} 𝑝) arithmetic operations.
Notice the similarity with Schoof’s algorithm: in Schoof we compute the action of 𝜋𝑞 on small ℓ𝑖-torsion groups 𝐸[ℓ𝑖], recover 𝜒𝜋 mod ℓ𝑖 via some DLP computations in 𝐸[ℓ𝑖], then reconstruct 𝜒𝜋 mod ∏ℓ𝑖 by the CRT. In our approach, we also compute $\bar\pi_q$ (or $\bar\pi_p$) on these 𝐸[ℓ𝑖], but we instead use the action to reconstruct 𝐹, a ∏ℓ𝑖-isogeny embedding 𝜋𝑞 and $\bar\pi_q$ (or 𝜋𝑝 and $\bar\pi_p$).
² We can also write $\bar\pi_q = t - \pi_q$; this is closer in spirit to the description of Section 1, but of course at this point we do not know the trace 𝑡 yet.
The nice thing about having the isogeny 𝐹 is that lifting 𝐹 gives a lift of the Frobenius. We can thus use 𝐹 to see how 𝜋𝑝 acts on the deformation space of 𝐸, and recover the canonical lift to precision 𝑚 as in [MR22].
Usually, the action of 𝜋𝑝 on the deformation space was computed using the modular polynomial 𝜙𝑝. The modular polynomial 𝜙𝑝 is of size 𝑂(𝑝^3), and then evaluating it to 𝑝-adic precision 𝑚 costs $\tilde O(nmp^2)$. In [MR22], we explained how to compute the action via lifting the kernel of the Verschiebung $\bar\pi_p$ instead; since it is of degree 𝑝 this allows us to compute the canonical lift in time $\tilde O(nmp)$. (A slight annoyance is that by using the Verschiebung rather than the Frobenius, we lose one bit in the 𝑝-adic precision at each step. In particular we need another method to bootstrap to precision 𝑚 = 2: we use the fact that the étale 𝑝-torsion only lifts to $\tilde E$ if $\tilde E = \hat E$ modulo 𝑝^2.) Here we are going to use 𝐹 instead; this way we can recover the action of 𝜋𝑝 rather than $\bar\pi_p$, so there is no loss of precision, but more importantly 𝐹 (and its lift) can be evaluated in time polynomial in log 𝑝.
Let us describe this in more detail. Assume for now for simplicity that our 𝐹 is in dimension 2. Let 𝜎 be the lift of the Frobenius to ℚ𝑞, and $\hat E$ denote the canonical lift of 𝐸; $\sigma(\hat E)$ is then the canonical lift of 𝜎(𝐸). 𝐹 is an endomorphism of 𝐸 × 𝜎(𝐸). The canonical lift $\hat E$ is the unique lift $\tilde E$ of 𝐸 such that 𝜋𝑝 lifts to $\hat\pi_p : \tilde E \to \sigma(\tilde E)$. We thus look for $\tilde E$ such that the unique lift of 𝐹 (as an isogeny) to $\tilde E \times \sigma(\tilde E)$ is still an endomorphism (the lift is unique since 𝐹 is étale). We remark that lifting 𝐹 amounts to lifting its kernel, which can be done by lifting generators of this kernel to points of 𝑁′-torsion in $\tilde E$ via a Newton iteration.
Let us look at how to lift from precision 𝑚 = 1 to precision 𝑚 = 2, then 𝑚 = 4, and so on. We fix an arbitrary lift $\tilde E'_1$ of 𝐸 and another $\tilde E'_2$ of 𝜎(𝐸). We lift 𝐹 to compute its action on $\tilde E'_1 \times \tilde E'_2$. We can then deform $\tilde E'_1$ to another lift $\tilde E''_1$, compute the action of 𝐹 again, and then deform $\tilde E'_2$ to $\tilde E''_2$ and compute the action of 𝐹. This is enough, via linear algebra, to be able to compute the action of 𝐹 on arbitrary lifts of 𝐸1 and 𝐸2, namely if $j(\tilde E_1) = j(\tilde E'_1) + \varepsilon_1 p$, $j(\tilde E_2) = j(\tilde E'_2) + \varepsilon_2 p$, we can compute $J(\tilde E_1 \times \tilde E_2 / \operatorname{Ker} \tilde F) = J(\tilde E'_1 \times \tilde E'_2 / \operatorname{Ker} \tilde F) + U \varepsilon_1 + V \varepsilon_2$, where 𝐽 is a set of modular invariants in dimension 2. Note that we only care about the deformation of 𝐸1 × 𝐸2 to a product abelian surface; that is why we only have two parameters 𝜀1, 𝜀2 rather than three.
If $\tilde E$ is a lift of 𝐸, the Frobenius 𝜋𝑝 ∶ 𝐸 → 𝜎(𝐸) lifts uniquely to $\tilde E \to \tilde E_2$. However in general the Verschiebung 𝜎(𝐸) → 𝐸 does not lift to an arbitrary lift $\tilde E_2$, and if it does the lift is not unique. In other words, the stack of elliptic curves with a degree 𝑝 isogeny is étale at (𝐸, 𝜋𝑝) when 𝐸 is ordinary, but not at $(E, \bar\pi_p)$. In fact, by looking at the Serre-Tate formal moduli, it is classical that if $\tilde E = \hat E$ to precision 𝑚, and $\tilde\pi_p : \tilde E \to \tilde E_2$ is a lift of 𝜋𝑝, then $\tilde E_2 = \sigma(\hat E)$ to precision 𝑚 + 1. Hence the Verschiebung $\bar\pi_p$ can be lifted to $\tilde E_2$ if $\tilde E_2 = \hat E$ to precision at least 2, and in this case, among the multiple possible lifts, there is a canonical one which is the dual of the lift of the Frobenius $\tilde E_1 \to \tilde E_2$. It is characterised by being the unique lift whose kernel lies in the maximal unramified extension of ℚ𝑞.
Anyway, going back to our situation, when taking arbitrary lifts $\tilde E_1$ and $\tilde E_2$ of 𝐸 and 𝜎(𝐸), the lift of 𝜋𝑝 to $\tilde E_1$ has codomain another elliptic curve $\tilde E_{2,can}$, and so the codomain of the lift $\tilde F$ of 𝐹 will not be a product abelian surface unless $\tilde E_2 = \tilde E_{2,can}$. On the moduli of abelian surfaces, the modular form $\chi_{10}$ has for locus the split surfaces, so plugging $\chi_{10}$ into the expression of $J(\tilde E_1 \times \tilde E_2 / \operatorname{Ker} \tilde F)$ above we get a linear equation between 𝜀1 and 𝜀2 giving the locus where $\tilde E_2 = \tilde E_{2,can}$. On this locus, the Verschiebung lifts from $\tilde E_2$ to $\tilde E_1$ by the above discussion, hence 𝐹 lifts as a matrix. Alternatively, we could plug in the equation $J(\tilde E_1 \times \tilde E_2 / \operatorname{Ker} \tilde F) = J(\tilde E_1 \times \tilde E_2)$.
The canonical lift $\hat E$ at precision 2 can then be recovered by plugging in the further equation $j(\tilde E_{2,can}) = \sigma(j(\tilde E_1))$. This way we obtain an Artin-Schreier equation $A \sigma(\varepsilon_1) + B \varepsilon_1 + C = 0$. Since the lifting solution is unique, 𝐴 and 𝐵 are not both 0, so they are uniquely determined (up to normalising 𝐶) from $j(\hat E)$ and $\sigma(j(\hat E))$. In the general case where we are in dimension 2𝑢, we also use the equations $j(\tilde E_{2,can}) = \sigma(j(\tilde E_1))$ and $J(\tilde E_1 \times \tilde E_2 / \operatorname{Ker} \tilde F) = J(\tilde E_1 \times \tilde E_2)$, where 𝐽 is a set of modular equations, to recover this Artin-Schreier equation.
From the Serre-Tate formal moduli, we then know that 𝐴 is of valuation 0 and 𝐵 of valuation 1. We can thus solve the equation to precision 𝑚′ = 1 and then lift it via Newton iterations to the precision 𝑚′ = 2𝑚 that we need. This allows us to compute our canonical lift from precision 1 to 2, and we iterate.
Of course, we can also use the lift $\tilde F$ to compute the action of $\hat\pi_p$ on $T_0 \sigma\hat E$ to precision 𝑚. By Section 2, the dominating cost is the initial decomposition of 𝐹 as a product of small isogenies, which costs 𝑂(log^{6+2𝑢} 𝑝) arithmetic operations, then the evaluations of $\tilde F$ at precision 𝑚, which cost 𝑂(𝑛𝑚 log^{3+2𝑢} 𝑝) arithmetic operations. In summary:
Theorem 4.1. Given 𝐸/𝔽𝑞 an ordinary elliptic curve, 𝑞 = 𝑝^𝑛, the canonical lift $\hat E$ of 𝐸 can be computed to precision 𝑚 in time $\tilde O(nm \log^{4+2u} p + n \log^{7+2u} p)$, and the cardinality of 𝐸 in time $\tilde O(n^2 \log^{4+2u} p + n \log^{7+2u} p)$.
Here 𝑢 = 1, 2 or 4. We can only take 𝑢 = 1 when 𝑝 is of a special form. We can always take 𝑢 = 4. We can also take 𝑢 = 2: the cost of finding 𝑁′ described in Section 2 is heuristic, but once it is found it is easy to check that 𝑁′ works. Furthermore this can be seen as a precomputation depending only on 𝑝.
We can thus list the complexity of the different point counting algorithms, according to the underlying cohomology theory they use, as follows:
• Étale cohomology: Schoof’s algorithm [Sch85] is in 𝑂(log^5 𝑞) = 𝑂(𝑛^5 log^5 𝑝), and the SEA algorithm [Sch95] in $\tilde O(\log^4 q) = \tilde O(n^4 \log^4 p)$.
• Rigid (Monsky-Washnitzer) cohomology: Kedlaya’s algorithm [Ked01] is in $\tilde O(n^3 p)$ and Harvey’s variant [Har07] in $\tilde O(n^{3.5} p^{1/2} + n^5 \log p)$.
• Crystalline cohomology: Satoh’s algorithm [Sat00] (after improvements by Harley) is in $\tilde O(n^2 p^2)$, and it has been improved to $\tilde O(n^2 p)$ in [MR22]. The (proven version of the) current algorithm is in $\tilde O(n^2 \log^{15} p)$ and the heuristic version in $\tilde O(n^2 \log^{11} p)$.
Remark 4.2. Over an ordinary abelian variety, the same method allows us to recover the tangent matrix of $\hat\pi_p$ and $\hat{\bar\pi}_p$ to precision 𝑚 in time 𝑂(𝑛𝑚 log^{𝑂(1)} 𝑝) (where the 𝑂(1) hides a dependency at least linear in 𝑔).
Remark 4.3. Another way to compute a canonical lift with a complexity sublinear in 𝑝 is to compute the endomorphism ring and its class group, and then find a decomposition of the Frobenius as a product of small ideals. In other words, to find a cycle of small isogenies from 𝐸 to 𝐸. (To forgo having to compute End(𝐸), one can also work with the class group of ℤ[𝜋𝐸].) This gives an algorithm which is subexponential (under GRH) in 𝑝, see [CH02, Theorem 2]. (A similar approach is also implicit in [Koh08, § 4.2], where Kohel tries to find a path of small isogenies from 𝐸 to 𝜎(𝐸).) Our present algorithm improves this complexity from subexponential to polynomial.

References
[Bis11] G. Bisson. “Computing endomorphism rings of elliptic curves under the GRH”. In: Journal of Mathematical Cryptology (2011). arXiv: 1101.4323.
[BS09] G. Bisson and A. Sutherland. “Computing the endomorphism ring of an ordinary elliptic curve over a finite field”. In: Journal of Number Theory (2009).
[BLP93] J. Buhler, H. Lenstra, and C. Pomerance. “Factoring integers with the number field sieve”. In: The development of the number field sieve (1993), pp. 50–94.
[CD22] W. Castryck and T. Decru. An efficient key recovery attack on SIDH (preliminary version). Cryptology ePrint Archive, Paper 2022/975. 2022. url: https://eprint.iacr.org/2022/975.
[CH02] J.-M. Couveignes and T. Henocq. “Action of modular correspondences around CM points”. In: International Algorithmic Number Theory Symposium. Springer. 2002, pp. 234–243.
[EL07] K. Eisentrager and K. Lauter. “A CRT algorithm for constructing genus 2 curves over finite fields”. In: AGCT-11 (2007).
[FM02] M. Fouquet and F. Morain. “Isogeny volcanoes and the SEA algorithm”. In: Algorithmic number theory (Sydney, 2002). Vol. 2369. Lecture Notes in Comput. Sci. Berlin: Springer, 2002, pp. 276–291. doi: 10.1007/3-540-45455-1_23.
[FL08] D. Freeman and K. Lauter. “Computing endomorphism rings of Jacobians of genus 2 curves over finite fields”. In: Algebraic geometry and its applications (2008), pp. 29–66.
[Har07] D. Harvey. “Kedlaya’s algorithm in larger characteristic”. In: Int. Math. Res. Notices (2007).
[Kan97] E. Kani. “The number of curves of genus two with elliptic differentials.” In: Journal für die reine und angewandte Mathematik 485 (1997), pp. 93–122.
[Ked01] K. Kedlaya. “Counting points on hyperelliptic curves using Monsky-Washnitzer cohomology”. 2001. arXiv: math/0105031.
[Koh96] D. Kohel. “Endomorphism rings of elliptic curves over finite fields”. PhD thesis. University of California, 1996.
[Koh08] D. R. Kohel. “Complex multiplication and canonical lifts”. In: Algebraic Geometry And Its Applications: Dedicated to Gilles Lachaud on His 60th Birthday. World Scientific, 2008, pp. 67–83.
[LP92] H. W. Lenstra and C. Pomerance. “A rigorous time bound for factoring integers”. In: Journal of the American Mathematical Society 5.3 (1992), pp. 483–516.
[MR22] A. Maiga and D. Robert. “Towards computing canonical lifts of ordinary elliptic curves in medium characteristic”. Mar. 2022. url: http://www.normalesup.org/~robert/pro/publications/articles/fast_canonical_lift_g1.pdf.
[MM22] L. Maino and C. Martindale. An attack on SIDH with arbitrary starting curve. Cryptology ePrint Archive, Paper 2022/1026. 2022. url: https://eprint.iacr.org/2022/1026.
[Rob21] D. Robert. “Efficient algorithms for abelian varieties and their moduli spaces”. HDR thesis. Université Bordeaux, June 2021. url: http://www.normalesup.org/~robert/pro/publications/academic/hdr.pdf. Slides: 2021-06-HDR-Bordeaux.pdf (1h, Bordeaux).
[Rob22a] D. Robert. “Breaking SIDH in polynomial time”. Aug. 2022. url: http://www.normalesup.org/~robert/pro/publications/articles/breaking_sidh.pdf. eprint: 2022/1038.

[Rob22b] D. Robert. “Evaluating isogenies in polylogarithmic time”. Aug. 2022. url: http://www.normalesup.org/~robert/pro/publications/articles/polylog_isogenies.pdf. eprint: 2022/1068.
[Sat00] T. Satoh. “The canonical lift of an ordinary elliptic curve over a finite field and its point counting”. In: J. Ramanujan Math. Soc. 15.4 (2000), pp. 247–270.
[Sch85] R. Schoof. “Elliptic curves over finite fields and the computation of square roots mod 𝑝”. In: Mathematics of computation 44.170 (1985), pp. 483–494.
[Sch95] R. Schoof. “Counting points on elliptic curves over finite fields”. In: J. Théor. Nombres Bordeaux 7.1 (1995), pp. 219–254.
[Sho94] P. W. Shor. “Algorithms for quantum computation: discrete logarithms and factoring”. In: Proceedings 35th annual symposium on foundations of computer science. IEEE. 1994, pp. 124–134.
INRIA Bordeaux–Sud-Ouest, 200 avenue de la Vieille Tour, 33405 Talence Cedex FRANCE
Email address: [email protected]
URL: http://www.normalesup.org/~robert/

Institut de Mathématiques de Bordeaux, 351 cours de la Libération, 33405 Talence cedex FRANCE